SnapGuard: Lightweight Prompt Injection Detection for Screenshot-Based Web Agents

TL;DR

SnapGuard is a lightweight, multimodal detection method that identifies prompt injection attacks on screenshot-based web agents by analyzing visual stability and textual signals, achieving high accuracy with low computational cost.

Contribution

The paper introduces SnapGuard, a novel lightweight detection approach that effectively identifies prompt injection attacks on visual web agents without relying on large vision-language models.

Findings

SnapGuard achieves an F1 score of 0.75 in detecting attacks.

It is 8 times faster than GPT-4-based methods.

It introduces no additional memory overhead.

Abstract

Web agents have emerged as an effective paradigm for automating interactions with complex web environments, yet remain vulnerable to prompt injection attacks that embed malicious instructions into webpage content to induce unintended actions. This threat is further amplified for screenshot-based web agents, which operate on rendered visual webpages rather than structured textual representations, making predominant text-centric defenses ineffective. Although multimodal detection methods have been explored, they often rely on large vision-language models (VLMs), incurring significant computational overhead. The bottleneck lies in the complexity of modern webpages: VLMs must comprehend the global semantics of an entire page, resulting in substantial inference time and GPU memory usage. This raises a critical question: can we detect prompt injection attacks from screenshots in a lightweight manner? In this paper, we observe that injected webpages exhibit distinct characteristics compared to benign ones from both visual and textual perspectives. Building on this insight, we propose SnapGuard, a lightweight yet accurate method that reformulates prompt injection detection as multimodal representation analysis over webpage screenshots. SnapGuard leverages two complementary signals: a visual stability indicator that identifies abnormally smooth gradient distributions induced by malicious content, and action-oriented textual signals recovered via contrast-polarity reversal. Extensive evaluations across eight attacks and two benign settings demonstrate that SnapGuard achieves an F1 score of 0.75, outperforming GPT-4o-prompt while being 8x faster (1.81s vs. 14.50s) and introducing no additional memory overhead.